ISO/IEC 27001:2022 requires the organization to define and apply an information security risk treatment process and to prepare a risk treatment plan. This is a mandatory requirement within clause 6 on planning. The purpose of the plan is to define how identified information security risks will be treated, which controls will be selected, and how the treatment decisions will be implemented. Therefore, it is not optional guidance or an audit note, but a formal requirement. For that reason, option B is correct.

=======

ISO/IEC 27001:2022 assigns accountability for the information security policy to top management. Top management must ensure that the policy and objectives are established and are compatible with the strategic direction of the organization. Top management is also responsible for promoting and supporting compliance with the ISMS requirements throughout the organization. Therefore, option B is correct.

=======

ISO/IEC 27001:2022 requires information security objectives to be established at relevant functions and levels, to be consistent with the information security policy, to be measurable if practicable, and to be monitored, communicated, and updated as appropriate. It also requires documented information on the objectives. Among the answer choices, option C is the best single answer because it expresses one of the core mandatory characteristics of the objectives. Even though options B and D are also requirements, the question asks for one answer only, and option C is the most fundamental wording in the set.

=======

A vulnerability is a weakness of an asset, control, or other element that can be exploited by one or more threats. In information security risk assessment, vulnerabilities are considered together with threats, likelihood, and impact in order to understand and evaluate risk. A threat is a potential cause of an unwanted incident, while impact refers to the consequence. Therefore, option C is correct.

=======

ISO/IEC 27001:2022 requires top management to demonstrate leadership and commitment by ensuring that the information security policy and information security objectives are established and are compatible with the strategic direction of the organization. Top management must also integrate ISMS requirements into the organization’s processes, ensure resources are available, support relevant roles, and promote continual improvement. The standard does not allow leadership accountability to be replaced by a consultant or a volunteer. Therefore, option A is correct.

=======

A specific leadership responsibility in ISO/IEC 27001:2022 is for top management to communicate the importance of effective information security management and of conforming to the ISMS requirements. This communication role is part of demonstrating leadership and commitment, helping create organizational awareness and support for the ISMS. Therefore, option B is correct.

=======

ISO/IEC 27001:2022 requires documented information to be controlled so that it is adequately protected. The standard specifically refers to protection from issues such as loss of confidentiality, improper use, and loss of integrity. It also requires documented information to be available and suitable for use where and when needed. The standard does not require a consultancy, specific tools, or a single designated expert to meet this requirement. Therefore, option D is correct.

One of the explicit leadership responsibilities in ISO/IEC 27001:2022 is for top management to communicate the importance of effective information security management and of conforming to the ISMS requirements. This communication helps demonstrate visible commitment and organizational direction. Conducting internal audits and defining the risk assessment approach are important activities within the ISMS, but they are not the best direct expression of top management’s evidence of commitment among the options listed. Therefore, option A is correct.

=======

ISO/IEC 27001:2022 requires top management to demonstrate leadership and commitment with respect to the ISMS. This includes ensuring that the information security policy and objectives are established, ensuring that the resources needed for the ISMS are available, and promoting continual improvement. Top management is also responsible for supporting relevant roles and ensuring that the ISMS achieves its intended outcomes. Since all of the listed activities align with top management responsibilities, option D is correct.

=======

Residual risk is the risk that remains after risk treatment has been applied. In an ISMS, organizations assess risks, select treatment options, and implement controls or other measures to reduce risk to an acceptable level. Even after treatment, some level of risk may still remain, and that remaining portion is called residual risk. Therefore, option C is correct.

=======